Native Entra ID LoginTC MFA
Integrate LoginTC natively with External Authentication Method for Entra ID / Azure AD. No additional on-premises infrastructure required. See Microsoft Entra ID External Authentication Methods (EAM) for more information.
The LoginTC AD FS Connector protects access to your Microsoft Active Directory Federation Services (AD FS) by adding a second factor LoginTC challenge to existing username and password authentication. The LoginTC AD FS Connector provides a LoginTC multi-factor authentication (MFA) method to your AD FS deployment, used by your Office 365.
Subscription Requirement
Your organization requires the Business or Enterprise plan to use the LoginTC AD FS Connector. See the Pricing page for more information about subscription options.
After entering the username and password into the AD FS login page, the user is shown a selection of second factor options. The user clicks a button to receive a LoginTC push notification, authenticates and is logged in.
Prefer Reading a PDF?
Download a PDF file with configuration instructions:
Before proceeding, please ensure you have the following:
Working Office 365 Federation Deployment
It is strongly recommended that you have a working Office 365 deployment with federation against your on-premise AD FS prior to adding LoginTC multi-factor authentication. You may use the Microsoft Azure AD Connect tool to deploy an on-premise AD FS and connect it to your Office 365/Azure AD.
Start by creating a LoginTC Application for your deployment. An Application represents a service (e.g. An application is a service (e.g., VPN or web application) that you want to protect. e) that you want to protect with LoginTC.
Create a LoginTC Application in LoginTC Admin Panel, follow Create Application Steps.
If you have already created a LoginTC Application for your deployment, then you may skip this section and proceed to Installation.
Normalize Usernames
Usernames in ADFS are typically in the form “CORP\john.doe”, while in the LoginTC Admin Panel it is generally more convenient to simply use “john.doe”.
Configure Normalize Usernames
from the Domain settings by navigating to Domains > Your Domain > Settings.
Select Yes, Normalize Usernames
scroll down and click Update
.
Windows Server 2016 (AD FS version 4.0)
The instructions below are for AD FS (version 4.0) running on Windows Server 2016. If you have AD FS (3.0) running on Windows Server 2012 R2, see AD FS Configuration in Two-factor authentication for AD FS on Windows Server 2012 R2.
Windows Server 2019
If you are installing the LoginTC AD FS Connector on Windows Server 2019 you are required to run the following PowerShell command to allow the AD FS login page to embed the LoginTC authentication options:
Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "frame-src 'self' https://cloud.logintc.com"
Your AD FS login will now present the user with a secondary LoginTC authentication page.
UsageThe user proceeds to the Office 365 portal as they normally would and enter their username.
After entering their username at the Office 365 portal, the user is brought to your on-premise AD FS where they are prompted to enter their username and password.
After successfully authenticating with their username and password, the user is presented with options to log in with LoginTC. The user may select to authenticate using LoginTC push, bypass codes, or OTPs.
If the user selects LoginTC push, they are informed to approve the LoginTC request on their device. The user is also presented with an option to remember their LoginTC login choice. The next time the user logs in they will automatically receive a LoginTC push notification. The user may also cancel the login attempt and return to the login page.
The user receives a push notification on their device where they have provisioned their LoginTC token.
After successfully authenticating with LoginTC, the user is redirected to their Office 365 portal.
The LoginTC AD FS Connector logs events to the Microsoft Event Viewer under Applications and Service Logs → LoginTC. In some cases, it may be helpful to also look at the general AD FS logs under Custom Views → ServerRoles → Active Directory Federation Services.
To uninstall the LoginTC AD FS Connector, simply navigate to the Add or remove programs in the Windows Control Panel, find LoginTC AD FS Connector in the list and follow the prompts.
Prior to Uninstalling
Prior to uninstalling the LoginTC AD FS Connector, ensure that the LoginTC MFA method is not being used in any of your AD FS authentication policies. The uninstallation will fail if the LoginTC MFA method is being used in any of your AD FS authentication policies.
To uninstall the LoginTC AD FS Connector, simply navigate to the Add or remove programs in the Windows Control Panel, find LoginTC AD FS Connector in the list and follow the prompts.
Prior to Uninstalling
Prior to uninstalling the LoginTC AD FS Connector, ensure that the LoginTC MFA method is not being used in any of your AD FS authentication policies. The uninstallation will fail if the LoginTC MFA method is being used in any of your AD FS authentication policies.
Email Support
For any additional help please email support@cyphercor.com. Expect a speedy reply.
You may also be interested in our: